pilcrowonpaper / copenhagen
A basic guideline on implementing auth for the web
Home Page: https://thecopenhagenbook.com
License: MIT License
I can translate the book to Arabic, but we need malta to support internationalization first
The "Sessions" guide contains the following:
CSRF protection must be implemented when using cookies, and using the SameSite flag is not sufficient.
This is somewhat true, but there is some additional nuance here.
My understanding is that SameSite=Lax (or Strict) is sufficient CSRF protection if the following conditions are met:
GET requests aren't used to mutate data on the server.
As with anything related to auth, there are plenty of edge-cases (as listed above) but generally I think SameSite=Lax or SameSite=Strict could be recommended as a sufficient method of CSRF protection in certain circumstances.
Interested to hear your thoughts and, if you agree, I'm happy to modify the "SameSite cookie attribute" section of the "CSRF" guide to include this info.
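The combination the comment above describes, as an added example that is not code from the Copenhagen Book or from this thread: a session cookie issued with SameSite=Lax, an Origin-header check on every non-safe method as defence in depth, and a route registration helper that refuses to register a state-changing handler on GET (because Lax still attaches the cookie to top-level cross-site GET navigations). The request objects, header names and `allowedOrigin` value are assumptions constructed for the demo.

```javascript
// Added example (not from the book or the issue thread). Requests are plain
// objects { method, headers } constructed for the demo; no framework is assumed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Case-insensitive header lookup on the constructed request object.
function header(request, name) {
  const key = Object.keys(request.headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : request.headers[key];
}

// Set-Cookie value for the session cookie. SameSite=Lax blocks the cookie on
// cross-site POST/form submissions but still sends it on top-level GET navigations.
function sessionCookieHeader(sessionId, options = {}) {
  const { sameSite = "Lax", maxAgeSeconds = 60 * 60 * 24 * 30 } = options;
  return [
    `session=${encodeURIComponent(sessionId)}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    `SameSite=${sameSite}`,
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Decide whether a request may change state. Safe methods pass because the
// server must never mutate on them (the condition in the comment above); every
// other method must carry an Origin header equal to the site's own origin.
// A missing Origin is rejected rather than trusted.
function isCsrfSafe(request, allowedOrigin) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) return true;
  const origin = header(request, "origin");
  if (origin === undefined) return false;
  return origin === allowedOrigin;
}

// Route registration guard: a mutating handler on a safe method is a
// configuration error, since SameSite=Lax would not protect it.
function defineRoute(method, handler, { mutates }) {
  if (mutates && SAFE_METHODS.has(method.toUpperCase())) {
    throw new Error(`${method} handlers must not mutate state`);
  }
  return { method: method.toUpperCase(), handler, mutates };
}

// Usage (assumed origin value):
const ALLOWED_ORIGIN = "https://app.example";
const logoutRoute = defineRoute("POST", () => "logged out", { mutates: true });
const crossSiteAttempt = { method: "POST", headers: { Origin: "https://other.example" } };
console.log(isCsrfSafe(crossSiteAttempt, ALLOWED_ORIGIN)); // false
console.log(sessionCookieHeader("s_123"));
```

The Origin comparison is the part that keeps working when a GET somewhere in the code base does end up mutating state or when a browser without SameSite support shows up, which is why the book still asks for it alongside the cookie attribute.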
In various journeys of an application's functions it's possible to infer the presence of an identity, such as:
New user sign-up is provided an email that is checked: 'that account already exists' <-- this is a point of enumeration
Forgotten password is often a point of enumeration too, although often a little noisier <-- user doesn't exist versus email sent
Login page is also a point of enumeration <-- user does not exist versus incorrect password
Areas like these should either send actions to authenticate to the user's provided email address, such as how Spotify's magic link works, or send an email suggesting someone has attempted to sign up using this email address if the account doesn't exist yet.
Where an application cannot do this, it must be aware of the enumeration and scraping potential.
Does this make sense?
I can put something in long form if needed, but in principle, how are we defending from scraping and inference-based learning for unauthenticated visitors?
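The three enumeration points listed in the comment above, handled so that the unauthenticated HTTP response is identical whether or not the account exists, as an added example that is not code from the book or from anyone in this thread. The in-memory user map, the mail outbox and the toy `verifyPassword` check are constructed stand-ins for a database, a mailer and a real password hash.

```javascript
// Added example (not from the book or the issue thread). Constructed stand-ins
// for a user table and an outgoing-mail queue; no real mail is sent.
const users = new Map([["alice@example.com", { passwordHash: "hash:correct-horse" }]]);
const outbox = [];

function sendMail(to, template) {
  outbox.push({ to, template });
}

// Toy check standing in for real password-hash verification (assumption).
function verifyPassword(storedHash, password) {
  return storedHash === `hash:${password}`;
}
// Compared against when the user is unknown, so both failure paths do the same work.
const DUMMY_HASH = "hash:not-a-real-user";

// Sign-up: the response never says whether the address is taken. The
// distinction moves into the email, which only the address owner can read.
function requestSignup(email) {
  if (users.has(email)) {
    sendMail(email, "someone-tried-to-sign-up-with-your-address");
  } else {
    sendMail(email, "verify-your-new-account");
  }
  return { status: 200, message: "Check your email to continue." };
}

// Forgotten password: same response whether or not an account exists.
function requestPasswordReset(email) {
  if (users.has(email)) sendMail(email, "password-reset-link");
  return { status: 200, message: "If an account exists for that address, a reset link has been sent." };
}

// Login: one generic failure message for unknown user and wrong password, and
// the hash comparison runs in both cases rather than short-circuiting.
function login(email, password) {
  const user = users.get(email);
  const hashMatches = verifyPassword(user ? user.passwordHash : DUMMY_HASH, password);
  if (user === undefined || !hashMatches) {
    return { status: 401, message: "Incorrect email or password." };
  }
  return { status: 200, message: "Logged in." };
}

// Usage: the two sign-up responses are indistinguishable; the emails differ.
console.log(requestSignup("alice@example.com"), requestSignup("bob@example.com"));
console.log(outbox);
```

The remaining signal a caller could use is timing and rate; the dummy comparison narrows the former, and the rate-limiting discussion below is what addresses the latter.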
I'm not sure if this should be part of the book since it's more general security rather than auth related
Describe and compare different ways to implement rate-limiting
Unfortunately I've never implemented SAML before